Securing Your Operations: A Deep Dive into JWT Authentication in Pindah's System


Let's explore how Pindah leverages JWT (JSON Web Tokens) to fortify your business operations, ensuring secure access to modules like Sales & POS, Inventory Management, and more.

Why JWT Matters for Your Business

In today's interconnected world, securing your data is paramount. Traditional authentication methods can be cumbersome and prone to vulnerabilities. JWT offers a streamlined, secure, and efficient way to authenticate users and manage access to the various modules within Pindah's Operations Management System. This is particularly crucial for multi-tenant applications like ours, where data isolation and security are non-negotiable. With JWT, we ensure that only authorized users can access specific resources within the platform, safeguarding sensitive information like financial transactions, employee records, and inventory data.

JWT in Action: Inside Pindah's System

Pindah's architecture relies heavily on JWT for authentication. Let's delve into how it works:

1. Authentication: When a user logs in to our system (via the Angular frontend), their credentials are validated against the ASP.NET Core Identity context (as described in our whitepaper).

2. Token Generation: Upon successful authentication, the server generates a JWT. This token is a digitally signed string containing encoded information (claims) about the user, such as:

  • NameIdentifier: User ID
  • Name: Username
  • Email: User email
  • Role: User roles (e.g., Administrator, Stock Manager, Sales Representative)
  • Permission: Granular permissions (e.g., stock:inventory:view, hr:users:create)
  • OrganisationId: The organization the user belongs to. This is critical for our multi-tenant architecture.

3. Token Storage and Usage: The client-side (Angular) application stores the JWT, typically in local storage or a secure cookie. For every subsequent API request to the ASP.NET Core Web API (the backend), the client includes the JWT in the Authorization header, using the Bearer token scheme.

4. Token Validation: The API (backend) verifies the token's signature, ensuring its authenticity, and checks if the token has expired.

5. Authorization: Based on the claims within the token (roles, permissions, and OrganisationId), the API decides whether to grant access to the requested resource. This is where our granular permission system shines.

Granular Permissions: Controlling Access at Every Level

Our permission system, a core feature of Pindah's system, goes beyond simple role-based access control. With granular permissions, you can define exactly what each user can do within each module. For instance, a "Stock Manager" might have full access to the Stock Management module, including the ability to create, update, and view inventory. However, a "Sales Representative" might only have access to view and update sales orders within the Sales module.

Our permission model uses the format module:resource:action. This allows for extremely fine-grained control:

  • stock:inventory:view - View inventory
  • hr:users:create - Create new users within HR module
  • sales:orders:edit - Edit sales orders

How Permissions Are Enforced

Pindah utilizes authorization attributes, like [RequirePermission("module:resource:action")], to declaratively protect API endpoints. This means that before any API endpoint executes, the system automatically checks the user's permissions based on the JWT claims.

JWT Best Practices Implemented in Pindah

We've implemented a number of best practices to enhance the security and resilience of our JWT implementation:

  • Secure Token Storage: The client should store the JWT securely. We recommend secure storage mechanisms for web applications.
  • Short Token Lifespans: Tokens have a limited expiration time (default: 60 minutes).
  • Automatic Refresh Tokens: To maintain user sessions without requiring repeated logins, we use automatic token refresh before expiration.
  • Clock Skew Allowance: A small buffer (2 minutes) is tolerated for clock skew between client and server, so a slightly fast server clock does not reject a token before its real expiry.
  • HTTPS: All communication between the client and server is over HTTPS, protecting the token from interception.
  • Regular Security Audits: We continuously monitor and improve our security posture through regular audits and penetration testing.
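To make steps 2, 4 and 5 of the flow above, the [RequirePermission] check, and the lifetime and clock-skew settings concrete, here is an added, self-contained Python sketch (not Pindah's ASP.NET Core code; the Python stands in for the backend middleware, and the secret, user and organisation values are constructed):

```python
import base64, hashlib, hmac, json

LIFETIME_SECONDS = 60 * 60  # the page's default 60-minute token lifespan
SKEW_SECONDS = 2 * 60       # the page's 2-minute clock-skew allowance

# Constructed sample data; not real Pindah secrets, users or identifiers.
SECRET = b"constructed-demo-signing-secret"
NOW = 1_700_000_000
CLAIMS = {
    "NameIdentifier": "user-42",
    "Name": "stockmgr",
    "Email": "stockmgr@example.invalid",
    "Role": ["Stock Manager"],
    "Permission": ["stock:inventory:view", "stock:inventory:update"],
    "OrganisationId": "org-001",
}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, claims: dict, now: int) -> str:
    """Step 2: HS256-sign the claims, stamping iat/exp for a 60-minute lifespan."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({**claims, "iat": now, "exp": now + LIFETIME_SECONDS}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(secret: bytes, token: str, now: int) -> dict:
    """Step 4: check the signature before trusting any claim, then the expiry with skew."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the server fixes the algorithm, never the token
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload))
    if now > claims.get("exp", 0) + SKEW_SECONDS:  # a clock up to 2 minutes behind is tolerated
        raise ValueError("token expired")
    return claims

def require_permission(claims: dict, permission: str, organisation_id: str) -> bool:
    """Step 5 / [RequirePermission]: the module:resource:action claim must be present and the token's OrganisationId must match the tenant owning the resource."""
    return claims.get("OrganisationId") == organisation_id and permission in claims.get("Permission", [])
```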

Real-World Applications within Pindah's Modules

Consider these examples of how JWT and permission management work in Pindah:

  • Stock Management: A warehouse manager logs in and, based on their JWT claims (permissions), can access all features within the Stock Management module, including creating stock receipts, adjusting inventory levels, and generating reports. A junior employee might only have permissions to view inventory levels.
  • Sales & POS: A sales representative uses the POS module to process a sale. The system verifies their JWT to ensure they have permission to access the POS functions, such as creating sales orders, adding products, and processing payments. The OrganisationId ensures the representative only sees data for their organization.
  • HR & Payroll: An HR manager logs in to the system. Based on their JWT, they have access to employee records, payroll processing, and leave management functions. An employee might only be able to view their own profile and attendance records.

Benefits of using JWT

  • Improved Security: JWTs are signed using a secret key or a private/public key pair, so any modification to the token invalidates the signature and the token is rejected.
  • Stateless Authentication: The server doesn't need to store session data, improving scalability.
  • Simplified Authentication: JWTs are relatively simple to implement.
  • Cross-Domain Authentication: JWTs can be used to authenticate users across different domains.
  • Scalability: The server can easily scale to handle a large number of users.

Conclusion

JWT is at the heart of our security strategy, providing a robust, scalable, and secure solution for authenticating users and controlling access within Pindah's Operations Management System. By implementing best practices and leveraging granular permissions, we ensure that your data is protected and that your team has secure access to the tools they need to succeed.

If you are looking to learn more about the security of your business and streamline your operations, make sure to take a look at our unified operations platform.

Visit our website at https://basa.pindah.org or https://basa.pindah.co.zw, contact us at +263714856897 or email admin@pindah.org.